aedbc9cf49765c6a202179e635d8df19ca4a2f7937550efbc5c041836b19c9b2

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac314903c9cb2973f2f458075722610N.exe
Size

51KB
MD5

1ac314903c9cb2973f2f458075722610
SHA1

8d0345994637d1d38948815197054d61b504750c
SHA256

aedbc9cf49765c6a202179e635d8df19ca4a2f7937550efbc5c041836b19c9b2
SHA512

bca3d27988bd8ca1a6a563537d08966d9a3743793ee259210ebe3b40f70c02e8a98cf13a89b529c9b153d6de62e369d0d603d75ace763d89ad56e99d23b95656
SSDEEP

768:W7BlphA7dASbS7EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeD:W7ZhA7dAIJtvXtvc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	1ac314903c9cb2973f2f458075722610N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ac314903c9cb2973f2f458075722610N.exe

C:\Users\Admin\AppData\Local\Temp\1ac314903c9cb2973f2f458075722610N.exe
"C:\Users\Admin\AppData\Local\Temp\1ac314903c9cb2973f2f458075722610N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
51KB

MD5
e5d9070e6be864e64069170a1d37e46f

SHA1
bc97bbb666457052b7d4c4c9de760addc53e1242

SHA256
d454c8e33a3c2f06103af30367bc369855014b26f5eb6f958d4f46402533e1fa

SHA512
1c9266bd7393410c5aa15dd9acc9c64ff83410e60ef5bfb576756e95ac1b15daf89e34f05ac4323e25f3475af602616e17eaba6da9dea173cfa99f5eeb48f7fa

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
95c3cfc5d930bdb9bcf7882b05f0edb9

SHA1
03dc84ca3ec8d33e986de980560c3dbadd59a459

SHA256
373a135612f5fee80df293d95245193380406010042cacb910d30b240d333b77

SHA512
d14b1efb9892a88bed51bc49ceb48344ca1a0c53342ec2be2714730bfe5c57a3321e19a7873ddd9c9397321551ee35c37853a630fe19e33eed6b6fba32e78da7

Download Submit